department of natural resources - park fees and retail sales · 13/08/2020 · natural resources...

Financial Audit Division

Office of the Legislative Auditor State of Minnesota

Department of Natural Resources – Park Fees and Retail Sales Internal Controls and Compliance Audit

August 2020

Financial Audit Division

The Financial Audit Division conducts 40 to 50 audits each year, focusing on government entities in the executive and judicial branches of state government. In addition, the division periodically audits metropolitan agencies, several “semi-state” organizations, and state-funded higher education institutions. Overall, the division has jurisdiction to audit approximately 180 departments, agencies, and other organizations. Policymakers, bond rating agencies, and other decision makers need accurate and trustworthy financial information. To fulfill this need, the Financial Audit Division allocates a significant portion of its resources to conduct financial statement audits. These required audits include an annual audit of the State of Minnesota’s financial statements and an annual audit of major federal program expenditures. The division also conducts annual financial statement audits of the three public pension systems. The primary objective of financial statement audits is to assess whether public financial reports are fairly presented. The Financial Audit Division conducts some discretionary audits; selected to provide timely and useful information to policymakers. Discretionary audits may focus on entire government entities, or on certain programs managed by those entities. Input from policymakers is the driving factor in the selection of discretionary audits.

Photo provided by the Minnesota Department of Administration with recolorization done by OLA. (https://www.flickr.com/photos/139366343@N07/25811929076/in/album-72157663671520964/) Creative Commons License: https://creativecommons.org/licenses/by/2.0/legalcode

The Office of the Legislative Auditor (OLA) also has a Program Evaluation Division. The Program Evaluation Division’s mission is to determine the degree to which state agencies and programs are accomplishing their goals and objectives and utilizing resources efficiently. OLA also conducts special reviews in response to allegations and other concerns brought to the attention of the Legislative Auditor. The Legislative Auditor conducts a preliminary assessment in response to each request for a special review and decides what additional action will be taken by OLA. For more information about OLA and to access its reports, go to: www.auditor.leg.state.mn.us.

http://www.auditor.leg.state.mn.us/

OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA • James Nobles, Legislative Auditor

Room 140 Centennial Building, 658 Cedar Street, St. Paul, Minnesota 55155-1603 • Phone: 651-296-4708 • Fax: 651-296-4712

E-mail: [email protected] • Website: www.auditor.leg.state.mn.us • Minnesota Relay: 1-800-627-3529 or 7-1-1

August 13, 2020

Members

Legislative Audit Commission

Sarah Strommen, Commissioner

Department of Natural Resources

This report presents the results of our internal controls and compliance audit of the Department of

Natural Resources park fees and retail sales for the period July 2016 through January 2019. The

objectives of this audit were to determine if the department had adequate internal controls over

selected financial activities and complied with significant finance-related requirements.

This audit was conducted by Lori Leysen (Audit Director), Emily Wiant (Audit Coordinator),

Alec Mickelson (Senior Auditor), Paul Rehschuh (Senior Auditor), and Kris Schutta (Senior Auditor).

However, due to our required work on the state’s financial statements and Federal Single Audit, we

had to delay the completion of this audit report until July 2020.

We received the full cooperation of the Department of Natural Resources staff while performing this

audit.

Sincerely,

Lori Leysen, CPA

Audit Director

Table of Contents

Page

Report Summary ............................................................................................................... 1

Conclusions ................................................................................................................... 1

Audit Overview ................................................................................................................. 3

State Parks Overview and History ................................................................................ 3

Audit Scope, Objectives, Methodology, and Criteria . 5 ..................................................

Receipts ............................................................................................................................. 7

Separation of Duties ...................................................................................................... 9

Safeguarding Nonpublic Information ......................................................................... 10

Deposits ....................................................................................................................... 11

Point of Sale System ................................................................................................... 13

Inventory ......................................................................................................................... 17

Park Fees ......................................................................................................................... 19

List of Recommendations ............................................................................................... 21

Agency Response ............................................................................................................ 23

Internal Controls and Compliance Audit 1

Report Summary

The Department of Natural Resources (department) oversees the 75 state parks and state

recreation areas located throughout Minnesota. To manage and maintain these

recreational areas, the department’s Division of Parks and Trails receives approximately

21 percent of its funding from the General Fund, 14 percent from the Parks and Trails

Legacy Fund, and the majority of the remaining funds come from the Natural Resources

Fund, which includes fees collected at state parks and recreation areas.

The Office of the Legislative Auditor conducted this selected scope audit to determine

whether the Department of Natural Resources had adequate internal controls and

complied with significant finance-related legal requirements related to receipts collected

from state park patrons. The period under examination was July 1, 2016, through

January 31, 2019.

Conclusions

Internal Controls OLA found that internal controls over the areas in our audit scope were generally not

adequate to ensure that it safeguarded assets and ensured compliance with applicable

legal requirements.

Internal Controls

Specifically, this audit identified internal control weaknesses in the department as

follows:

Finding 1. The Department of Natural Resources did not always ensure

employee separation during the receipt process. (p. 9)

Finding 4. The Department of Natural Resources did not have adequate

controls to ensure the accuracy of deposits in the state’s accounting system.

(p. 12)

Finding 5. The Department of Natural Resources did not identify and remove

unnecessary access in its point of sale system. (p. 14)

Finding 7. The Department of Natural Resources did not always perform an

annual physical inventory or, when the department completed a physical

inventory, it did not always investigate identified differences. (p. 17)

Not Adequate

Generally Not Adequate

Generally Adequate

Adequate

2 Department of Natural Resources – Park Fees and Retail Sales

Legal Compliance The Department of Natural Resources generally complied with most finance-related

legal requirements.

Legal Compliance

However, OLA found the following issues of noncompliance, discussed more

thoroughly in the findings and recommendations in this report.

Finding 1. The Department of Natural Resources did not always ensure

employee separation during the receipt process. (p. 9)

Finding 2. The Department of Natural Resources did not always identify and

destroy instances of not public data. (p. 10)

Finding 3. The Department of Natural Resources did not always deposit

receipts in accordance with its daily deposit waiver. (p. 11)

Finding 5. The Department of Natural Resources did not identify and remove

unnecessary access in its point of sale system. (p. 14)

Finding 6. The Department of Natural Resources employees did not always use

their own unique login when using the point of sale system. (p. 15)

Finding 7. The Department of Natural Resources did not always perform an

annual physical inventory or, when the department completed a physical

inventory, it did not always investigate identified differences. (p. 17)

Did Not Comply

Generally Did Not Comply

Generally Complied

Complied


Audit Overview

This report presents the results of an

internal controls and compliance audit of

selected activities in the Department of

Natural Resources (department).

Management is responsible for

establishing internal controls to safeguard

assets and ensuring compliance with

applicable laws, regulations, and state

policies.

A strong system of internal controls

begins with management’s philosophy,

operating style, and commitment to

ethical values. It also includes processes

to continuously assess risks and

implement control activities to mitigate risks. A successful internal controls system

includes iterative processes to monitor and communicate the effectiveness of control

activities.

State Parks Overview and History

The Department of Natural Resources oversees the 75 state parks and recreation areas

located throughout Minnesota. We will refer to the state parks and recreation areas as

state parks going forward. Each year, approximately ten million visitors use state parks.

Exhibit 1 identifies the 75 state parks and recreation areas in Minnesota.

The Division of Parks and Trails, within the department, manages the state parks and

recreation areas. Its vision is to create unforgettable park, trail, and water recreation

experiences that inspire people to pass along the love of the outdoors to current and

future generations. The division receives approximately 21 percent of its funding from

the General Fund and another 14 percent from the Parks and Trails Legacy Fund. The

division receives most of the remaining revenue from the Natural Resources Fund.

State parks fees account for 17 percent of the Natural Resources Fund, which includes

fees collected for state park permits and camping, recreation, and retail activities.1

The department has a central office located in Saint Paul, which oversees the

administration of state parks. State park managers, located at most state parks, oversee

the day-to-day operations. Forty-five parks are self-managed and the remaining parks

are managed by another state park.

1 Department of Natural Resources, Department of Natural Resources Biennial Budget 2018-2019

(St. Paul), 5, https://files.dnr.state.mn.us/aboutdnr/budget/fy18-19-biennial-op-budget.pdf, accessed

May 21, 2020.

Control Environment

Risk Assessment

ControlActivities

Information and Communication

Monitoring


Exhibit 1: Minnesota State Parks and Recreation Areas

SOURCE: Minnesota Department of Natural Resources.

Visited by OLA

Not visited by OLA


Audit Scope, Objectives, Methodology, and Criteria

Receipts This audit focused on the collection of revenue from park fees and retail sales. We

designed our work to address the following questions:

Did the department have adequate controls over state park receipts?

Did the department charge the correct park fees?

Did the department collect, safeguard, and properly deposit all receipts in

accordance with legal and administrative requirements?

To answer these questions, we interviewed and performed testing at nine locations. We

judgmentally selected the central office and the two parks that generated the most revenue

during our audit scope: Itasca State Park and Gooseberry Falls State Park. These three

locations account for 15 percent of revenue collected. In addition, we randomly selected an

additional six parks, which was approximately 4 percent of revenue collected.

The Office of the Legislative Auditor (OLA) interviewed central office and park staff to

gain an understanding of the controls in place to ensure compliance with applicable

statutes, and state and department policies and procedures. To determine whether the

department had adequate internal controls and complied with legal and administrative

requirements, we:

Tested physical controls over receipts at sampled state parks by observing the

presence of safes and the collection of receipts, and conducted spot checks of

receipts on hand.

Analyzed camping, lodging, and tour fees at sampled parks and reviewed

documentation to ensure discounts were appropriate.

Reviewed documentation on-site at sampled parks, including information on

self-registration envelopes collected, to determine whether parks protected not

public data.

Randomly tested 450 of 8,850 sampled state park and the central office deposits

to determine their timeliness.

Reviewed the central office reconciliation process by testing 40 of 620 daily

reconciliations and 6 of 31 monthly reconciliations.

Reviewed security access to the point of sale system.

Randomly selected 52 of 215 active user accounts from sampled state parks and

tested the appropriateness of the roles assigned.

Inventory This audit focused on the department’s controls over its permit and retail inventory at

state park locations. We designed our work to address the following question:

Did the department design and implement controls to safeguard its permit and

retail inventory?


To answer this question, we obtained inventory reports from the department’s point of sale

system for each of the locations we visited. We conducted a physical inventory count for a

random sample of 212 retail inventory items to determine the accuracy of the inventory

counts in the point of sale system. We also requested documentation from the central

office for all annual physical inventories conducted by the parks during the audit scope.

We reviewed the documentation to determine the extent of the central office’s review.

We also requested documentation from the central office for the 2016, 2017, and 2018

park permit counts performed to ensure all counts were received and completed.

Rate Setting The audit focused on how the department set camping and lodging fees not established in

statute. We designed our work to address the following question:

Did the department set camping and lodging fees in accordance with fee-setting

guidelines established in state statute?

To answer this question, OLA interviewed department staff to assess how the

department establishes fees for camping and lodging. In addition, for each year in our

audit scope, we reviewed data from the point of sale system for parking permits,

camping, lodging, reservations, tours, and other fees, and compared those amounts

charged to the relevant Commissioner’s Order fee documentation on a sample basis.

We conducted this performance audit in accordance with generally accepted

government auditing standards.2 Those standards require that we plan and perform the

audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our

findings and conclusions based on our audit objectives. We believe that the evidence

obtained provides a reasonable basis for our findings and conclusions based on our

audit objectives. When sampling was used, we used a sampling method that complies

with generally accepted government auditing standards and that supports our findings

and conclusions. That method does not, however, allow us to project the results we

obtained to the populations from which the samples were selected.

We assessed internal controls against the most recent edition of the internal control

standards published by the U.S. Government Accountability Office.3 To identify legal

compliance criteria for the activity we reviewed, we examined state and federal laws,

state administrative rules, state contracts, and policies and procedures established by the

departments of Management and Budget, and Administration.

2 Comptroller General of the United States, Government Accountability Office, Government Auditing

Standards (Washington, DC, December 2011).

3 Comptroller General of the United States, Government Accountability Office, Standards for Internal

Control in the Federal Government (Washington, DC, September 2014). In September 2014, the State of

Minnesota adopted these standards as its internal control framework for the executive branch.


Receipts

State parks collect a majority of receipts generated from the sales of permits, camping,

lodging, and retail sales. Customers can pay by cash, check, or credit card in a state park

office, gift shop, or with a self-registration envelope. Customers can also purchase permits

and reservations online, through the call center, or at the central office.4 Customers can

purchase gift cards online, at a state park, or at the central office. The department records

all receipts in its point of sale system. Exhibit 2 shows the total receipts collected at state

parks from July 1, 2016, through January 31, 2019.

Exhibit 2: State Park Receipts by Location, July 1, 2016, through January 31, 2019

NOTES: The locations that are in bold indicate those visited by OLA. We excluded state parks and state recreation areas that were managed by another location or did not generate revenue during our audit scope.

SOURCE: Department of Natural Resources point of sale system.

4 The Department of Natural Resources manages the website. However, an external vendor manages the

call center. Our audit did not include testing of the website or call center other than reviewing the

accuracy of the revenue coming into the department’s point of sale system.

Location Total Receipts

Website $28,338,623 Itasca State Park 6,836,656 Gooseberry Falls State Park 4,028,326 Call Center 3,449,951 Tettegouche State Park 2,047,941 Jay Cooke State Park 1,440,878 Fort Snelling State Park 1,391,524 Whitewater State Park 1,363,554 Forestville Mystery Cave State Park 1,307,258 Interstate State Park 1,206,672 William O'Brien State Park 1,062,662 St. Croix State Park 1,061,958 Afton State Park 883,169 Minneopa State Park 806,918 Sibley State Park 778,922 Wild River State Park 762,132 Lake Carlos State Park 729,934 Frontenac State Park 725,487 Lake Bemidji State Park 704,857 Split Rock Lighthouse State Park 691,497 Bear Head Lake State Park 686,761 Maplewood State Park 609,375 Soudan Underground Mine State Park 602,323 Flandrau State Park 534,313 Scenic State Park 516,336 Red River State Recreation Area 513,959 Nerstrand Big Woods State Park 504,478 Father Hennepin State Park 474,507 Mille Lacs Kathio State Park 464,264 Myre-Big Island State Park 441,943 Central Office 429,042 Lake Shetek State Park 423,678

Location Total Receipts

Buffalo River State Park $ 367,520 Cascade River State Park 359,947 Temperance River State Park 355,016 Judge C.R. Magney State Park 329,841 Lake Maria State Park 329,313 McCarthy Beach State Park 318,897 Crow Wing State Park 310,757 Banning State Park 310,477 Grand Portage State Park 292,076 Camden State Park 290,350 Savanna Portage State Park 274,758 Lake Bronson State Park 273,585 Glendalough State Park 268,523 Sakatah Lake State Park 229,987 Blue Mounds State Park 229,510 Rice Lake State Park 191,419 Big Bog State Recreation Area 184,834 Lac qui Parle State Park 181,149 Great River Bluffs State Park 172,784 Charles A. Lindbergh State Park 155,753 Beaver Creek Valley State Park 153,452 Fort Ridgely State Park 149,261 Zippel Bay State Park 126,757 Split Rock Creek State Park 120,335 Hayes Lake State Park 99,755 Upper Sioux Agency State Park 81,461 Cuyuna Country State Recreation Area 80,109 Big Stone Lake State Park 74,519 Hill-Annex Mine State Park 40,540 Kilen Woods State Park 34,249 Old Mill State Park 16,667 Schoolcraft State Park 12,520

Total $72,675,005


After recording the receipt transactions in the point of sale system, the transactions are

uploaded to the department’s revenue subsystem, and then to the state’s accounting

system. The department performs various daily and monthly reconciliations at the state

parks and the central office to ensure the accuracy of park receipts as the receipts move

from local banks to the state treasury and as the documented transactions move from the

point of sale system to the department’s revenue subsystem and finally into the state’s

accounting system.

Exhibit 3 illustrates the process to collect, process, deposit, and record receipts.

Exhibit 3: Receipt Process

SOURCE: Office of the Legislative Auditor.

Receipt Collecting

• State parks, central offfice, the call center, and the website collect receipts.

Recording

• State parks, central office, the call center, and the website record transactions in the point of sale system.

Depositing

• State parks deposit cash and check receipts at local banks.

• The state bank deposits all credit card receipts in the state treasury.

• The department deposits all cash and check receipts in the state treasury.

Data Processing

• Revenue data in the point of sale system is summarized by payment type and funding source and uploaded into the department's revenue subsystem.

Financial Reporting

• Revenue totals by funding source are uploaded from revenue subsystem to the state's accounting system.


Separation of Duties

According to state policy, an employee separate from the receipt and entry process

should review and approve the daily deposits.5 Furthermore, for the receipt process at

state parks and recreation areas, the department’s revenue manual requires separate

individuals to handle cash, deposits, and reconciliations. When separation is not

possible, park managers are required to implement compensating controls to reduce risk

such as performing an unscheduled and unannounced cash count and review all

shortages in revenue deposits for any potential trends related to an employee.6

FINDING 1

The Department of Natural Resources did not always ensure employee separation during the receipt process.

At six of the eight parks sampled, we identified instances where the deposit did not

always include evidence that an employee separate from the receipt and entry process

reviewed and approved the deposits. At four of the six parks, 224 deposits sampled

indicated no such separation of duties.

Limited staffing prevents adequate separation of duties at some state park locations,

especially during the off-season. Often, a single staff person oversees all park

operations during winter months. This includes the collection of receipts, preparation

of deposits, and deposit at the local bank. We saw no evidence of compensating

controls when state parks experienced limited staffing to the extent that they could not

adequately separate duties.

There is a greater risk that receipts could be mishandled or misappropriated when the

same employee collects and deposits the receipts.

RECOMMENDATION

The Department of Natural Resources should implement compensating controls when park staff cannot adequately separate duties involved in collecting and depositing receipts.

5 Minnesota Management and Budget, Statewide Operating Policy 0602-1, Recording and Depositing

Receipts, issued July 1, 2011.

6 Department of Natural Resources, Division of Parks and Trails, Summary of Minnesota State Parks and

Trails Revenue Collection & Reporting Policies (St. Paul, 2015), 8.


Safeguarding Nonpublic Information

The department provides self-registration envelopes for customers to purchase permits

in lieu of paying at a state park office. Customers can either insert cash or check or

leave credit card information on the outside of the envelope. The customer then inserts

the envelope into a secured box. After the envelopes are collected, state park

employees process the transactions through the point of sale system, which does not

store credit card numbers.

After confirming that the transactions were processed, the state parks retain the used

envelopes for audit purposes. However, the department requires park staff to destroy or

make illegible all instances of credit card data on self-registration envelopes through

shredding or other permanent destruction methods.7

FINDING 2

The Department of Natural Resources did not always identify and destroy instances of not public data.

In most cases, we observed that state parks appropriately destroyed customer credit card

data. However, we identified 398 self-registration envelopes that had visible credit card

numbers. This represents approximately 2.5 percent of self-registration envelopes we

reviewed. In some cases, the state parks retained documentation of credit card numbers

after noting that the respective park could not process the transaction. Generally, this

occurred when a customer provided an invalid credit card number. In these

circumstances, the department’s policies do not address how long parks should retain

the documentation.

State park employees did not consistently adhere to the department’s internal policy and

the parks did not provide oversight to ensure proper handling of credit card information

by employees. According to the state parks, this was often due to unprocessed

transactions, employees forgetting to destroy the data, or employees not understanding

the policy.

RECOMMENDATIONS

The Department of Natural Resources should destroy credit card information immediately following the processing of a transaction.

The Department of Natural Resources should revise its policy on how long a park should retain credit card information for unprocessed transactions.




Deposits

State statute requires agencies to deposit cash and check receipts exceeding $1,000

daily. However, an agency can request a waiver if it can demonstrate that the cost of

making daily deposits exceeds the lost interest earnings and the risk of loss or theft of

the receipts.8

Due to the remote locations and limited staff at some state parks, the department has an

approved waiver from the daily deposit requirement, which also includes the central

office. The waiver allows most state parks up to four days to deposit receipts exceeding

$1,000 during the period from May 1 through September 30, and up to 14 days to

deposit receipts during the period from October 1 through April 30. The waiver allows

Itasca State Park only two days to deposit receipts from May 1 through September 30,

and four days from October 1 through April 30. State parks keep receipts in a safe until

deposited.

FINDING 3

The Department of Natural Resources did not always deposit receipts in accordance with its daily deposit waiver.

We identified instances at all sampled locations where staff did not deposit receipts

within the required timeframe. Out of the 450 deposits tested, we identified 12 that

were not deposited timely. These untimely deposits were between one and eight days

late. The location with the highest rate had 5 untimely deposits out of 60 sampled

deposits totaling $7,458.

In addition, we were unable to conclude on the timeliness of 34 samples due to data

limitations in the point of sale system. The data available in the system, prior to the

March 2018, included transaction dates but not payment types. Because of this, we

were not always able to determine when the collected cash and check receipts exceeded

$1,000.

Furthermore, we observed unprocessed self-registration envelopes at two state parks.

The combined total of unprocessed cash, check, and credit card receipts for the two

locations was an estimated $11,924.9 This puts receipts at a higher risk because they

could become unaccounted for or misappropriated if loss or theft occur.

The department stated that limited staffing and seasonality at some park locations

prevented staff from making timely deposits.

8 Minnesota Statutes 2019, 16A.275.

9 We calculated the estimate based on one daily $7 permit per envelope.


RECOMMENDATION

The Department of Natural Resources should ensure timely deposits in accordance with state statute.

State policy requires an agency to establish policies and procedures to ensure the

accuracy of deposits in the state’s accounting system.10 These policies and procedures

should include an employee, who is separate from the collection, deposit, and entry of

receipts, to reconcile deposits in the state’s accounting system at least once a month.

At each state park location where receipts are collected, an employee performs a daily

reconciliation by comparing cash and checks received to the bank deposit and to the

point of sale system. At some parks, the reconciliation includes a comparison of cash

and checks to the department’s revenue subsystem, as well. The parks do not include

credit card transactions in the daily reconciliations. Instead, the department relies on

the point of sale system vendor to identify any differences between credit card

transactions in the point of sale system and the transactions cleared through the credit

card processing vendor.

The central office then performs a daily reconciliation of credit card receipts in the state

treasury to its revenue subsystem and a monthly reconciliation by comparing all

receipts, including cash, checks, and credit cards, recorded in its revenue subsystem to

the state’s accounting system. The department adjusts the revenue subsystem to match

the bank balance but does not always investigate identified differences.

FINDING 4

The Department of Natural Resources did not have adequate controls to ensure the accuracy of deposits in the state’s accounting system.

The department did not identify an error in its point of sale system that resulted in

approximately $80,000 of lost revenue in calendar year 2017. From May 2017 through

August 2017, the point of sale system automatically voided some credit card payments.

However, the system still showed these transactions as paid. For example, if a customer

reserved a campsite using a credit card, the system showed that the reservation was

paid, but the system voided the transaction before the department could deposit the

transaction in the bank. Although the central office identified variances when

performing daily reconciliations during this time, it took no action to identify the cause

of the variances. Instead, the department continued to make adjustments in its revenue

subsystem to match the bank balance. There is no established threshold for an

adjustment and the department did not always investigate identified differences.

10 Minnesota Management and Budget, Statewide Operating Policy 0602-1, Recording and Depositing

Receipts, issued July 1, 2011.


In August 2017, a customer contacted the department to modify their park reservation.

In modifying the reservation, the department saw that the customer was never charged.

The department contacted the point of sale system vendor but believed the issue to be

isolated. The department was not aware of the pervasiveness of the issue. Instead, the

vendor identified the error and credited the state $20,696 in October 2018. As of the

end of our audit, the department did not calculate the entire error or pursue payment for

the total amount of the error.

Because the department does not have an established threshold to determine when

identified differences should be investigated and no internal control to provide oversight

over the reconciliation process, the department increases its risk of lost revenue or

misappropriated funds.

RECOMMENDATIONS

The Department of Natural Resources should implement procedures to complete a full reconciliation of state park receipts between the point of sale system and the state’s accounting system.

The Department of Natural Resources should determine the amount of remaining lost revenue and seek vendor reimbursement.

Point of Sale System

In 2011, the department contracted with an external vendor for its point of sale system.

The system records all retail inventory, reservations, and sales. The department

upgraded to a web-based system in March 2018, which allows an active user to access

the system from a state or non-state computer. The point of sale system has defined

user roles. Based on an employee’s position and job duties, the department assigns

them as an administrator, super manager, manager, or cashier. Administrators have the

most access and are able to modify their own role along with all other roles. Each role

is customizable, which allows the department to assign permissions other than those

initially assigned to a role.

According to state policy, “Identity and access management controls must be in place to

ensure users, systems, applications and networks have appropriate access to only that

which is necessary to perform their function.”11 Furthermore, the creation and

modification of accounts must be documented and approved, user accounts must be

reviewed at least annually, inactive accounts must be disabled after 90 days and deleted

within one year, and accounts no longer required must be removed or disabled within

eight hours depending on cause.12

11 Minnesota IT Services, “Identity and Access Management Policy,” version 1.4, effective January 1,

2016.

12 Minnesota IT Services, “Enterprise Identity and Access Management Standard,” version 1.3, effective

January 1, 2016.


FINDING 5

The Department of Natural Resources did not identify and remove unnecessary access in its point of sale system.

The department did not implement the state policy on user access nor did it create an

internal policy or procedure. The department assigned two administrators at the central

office to manage the point of sale system and to grant super manager access to all park

managers. Super managers and managers are then able to assign and modify roles to

their employees. The administrators do not approve access or modifications for any of

the roles assigned. Furthermore, there was no documentation of who had access and, if

a role had been modified. The department was not able to produce an audit trail of the

permissions assigned to any one employee.

We reviewed the security access assigned to employees at the central office and the

eight state parks we visited. Of the 52 user accounts we sampled, we identified the

following unnecessary access at four parks and the central office:

Six former employees had active user accounts.

Three employees, who transferred parks, retained user accounts at the former

park.

The department retained nine generic accounts that were no longer in use.

Two employees at the central office had excessive administrator access rights

based on their position title; the department was not able to identify why these

employees needed this level of security access.

By not identifying and removing unnecessary access to the system, the department

increased the risk that employees could inappropriately modify information in the point

of sale system.

RECOMMENDATIONS

The Department of Natural Resources should perform an annual review of user accounts to ensure appropriate access to the point of sale system and immediately terminate unnecessary access.

The Department of Natural Resources should design and implement a control to track access authorizations, modifications, and terminations in its point of sale system.


According to the department’s internal policy, “All employees…responsible for

processing transactions…must be assigned a unique log on id and use only that id when

completing transactions.”13 Although some locations may only have one cash register,

it is still required that employees use their own login credentials when processing

transactions through the point of sale system.

FINDING 6

The Department of Natural Resources employees did not always use their own unique login when using the point of sale system.

At three of the state parks tested, we observed employees using the login credentials of

another employee. Furthermore, on the dates we visited, we observed one park’s

employees leaving the cash drawer ajar throughout the day. State parks stated that it

was easier to have one person log in for the day as opposed to logging in and out each

time a transaction occurs.

RECOMMENDATION

The Department of Natural Resources should enforce the requirement for employees to use their own unique login when using the point of sale system.




Inventory

All state parks manage inventory. For retail inventory, some parks may only sell a few

souvenirs in the park office while larger parks, such as Itasca and Gooseberry Falls,

have a separate gift shop(s) selling many retail items. We identified 62 parks and

recreation areas with retail sales during the audit scope. All locations sell daily and

annual permits, which include sales through the central office, the call center, and the

department’s website, as well.

State parks maintain retail inventory records in the point of sale system. State parks

record inventory in the system when items are received and the system updates

quantities on hand when items are sold. At the end of the calendar year, the department

requires a physical count of inventory. However, there is no documented policy

identifying this requirement. Each park will generate inventory reports directly from

the point of sale system, count the actual inventory on hand, and update the records in

the system. Itasca State Park, Gooseberry Falls State Park, and the central office hire a

contractor to perform the physical inventory count. State parks send completed

inventory reports to the central office.

State parks do not maintain permit inventory in the point of sale system. Instead, the

parks retain purchase orders and invoices to assist in a physical, year-end count of

annual permits, required by the department. However, there is no documented policy

identifying this requirement. State parks will calculate the ending permit totals based

on beginning totals and purchases, transfers, sales, discounted permits, and voids that

occur during the year. Each park will then compare the calculated total with its

physical count of remaining permits. State parks send completed counts to the central

office, and the parks retain the permits for sale in the following year.

FINDING 7

The Department of Natural Resources did not always perform an annual physical inventory or, when the department completed a physical inventory, it did not always investigate identified differences.

We found that the central office did not verify whether all state parks completed an

annual, retail inventory. In addition, the central office did not always review the

completed inventory reports. For calendar years 2016, 2017, and 2018, the central

office did not have documented evidence that 65 of an expected 186 annual physical

retail inventories were completed.

We also found that when state parks identify retail inventory differences, they are not

required to investigate or reconcile any variances. Instead, the park adjusts the count in

the system to reflect the physical count. In our testing, we identified three state parks

with differences. At one park, 25 of the 40 inventory items tested did not match the

count recorded in the system.


Additionally, while the central office did ensure that parks conducted all permit counts

during our audit scope, it did not review the counts or follow up on any noted

differences. We reviewed and tested the 2017 permit counts at the sampled state parks

and identified that sampled state parks were not able to account for 209 annual permits

out of the 38,050 available for sale. Without oversight of the annual retail inventories

and permit counts, there is an increased risk that inventory could be lost or stolen.

RECOMMENDATION

The Department of Natural Resources should document an inventory policy to address the accuracy of inventory records.


Park Fees

Minnesota statutes establish state park vehicle permit fees, and the department

establishes fees for camping, lodging, and other state park uses. Minnesota statutes

require the department to set fees “in a manner and amount consistent with the type of

facility provided for the accommodation of guests in a particular park and with similar

facilities offered for tourist camping and similar use in the area.”14

The department reviews park fees for camping, lodging, and tours each year and

establishes fees two years in advance. The department considers public demand and

compares fees at state parks with those charged by other local public and private

providers. We did not identify any issues in how rates were set and charged.

14 Minnesota Statutes 2019, 85.052. subd. 3.


List of Recommendations

The Department of Natural Resources should implement compensating controls when park staff cannot adequately separate duties involved in collecting and depositing receipts. (p. 9)

The Department of Natural Resources should destroy credit card information immediately following the processing of a transaction. (p. 10)

The Department of Natural Resources should revise its policy on how long a park should retain credit card information for unprocessed transactions. (p. 10)

The Department of Natural Resources should ensure timely deposits in accordance with state statute. (p. 12)

The Department of Natural Resources should implement procedures to complete a full reconciliation of state park receipts between the point of sale system and the state’s accounting system. (p. 13)

The Department of Natural Resources should determine the amount of remaining lost revenue and seek vendor reimbursement. (p. 13)

The Department of Natural Resources should perform an annual review of user accounts to ensure appropriate access to the point of sale system and immediately terminate unnecessary access. (p. 14)

The Department of Natural Resources should design and implement a control to track access authorizations, modifications, and terminations in its point of sale system. (p. 14)

The Department of Natural Resources should enforce the requirement for employees to use their own unique login when using the point of sale system. (p. 15)

The Department of Natural Resources should document an inventory policy to address the accuracy of inventory records. (p. 18)

Minnesota Department of Natural Resources | Commissioner’s Office Equal Opportunity Employer 500 Lafayette Road North, St. Paul, Minnesota 55155 This material is available in alternate formats. www.dnr.state.mn.us

1

August 11, 2020

James R. Nobles

Legislative Auditor

Office of the Legislative Auditor

Centennial Building, Room 140

658 Cedar St.

St. Paul, MN 55155-1603

Subject: Minnesota Department of Natural Resources (DNR) response to the Office of the Legislative Auditor

(OLA) audit of park fees and retail sales

Dear Auditor Nobles:

Thank you for the opportunity to review and respond to the Office of Legislative Auditor’s (OLA) findings and

recommendations resulting from the recent park fees and retail sales audit for the period of July 2016 through

January 2019. We appreciate the professional review conducted in the OLA audit. The Minnesota Department of

Natural Resources (DNR) takes very seriously our responsibility to implement internal controls to safeguard

public assets and ensure compliance with laws, rules and policies. Therefore, we also appreciate the objective

evaluation and recommendations for improvement that the OLA audit provides. It is in this spirit of continuous

improvement that the DNR offers the following specific responses to the audit findings and recommendations.

Audit Finding #1

The DNR did not always ensure employee separation during the receipt process.

Audit Recommendation: The DNR should implement compensating controls when park staff cannot

adequately separate duties involved in collecting and depositing receipts.

DNR response: The agency concurs with the finding that the Division of Parks and Trails did not always ensure

separation of duties in the receipting process, and the recommendation that additional compensating controls

are needed.

The DNR will take the following Corrective Actions:

1.1 Implement a more robust tracking and accountability procedure to ensure compliance with

compensating controls. As the OLA audit acknowledges, separation of duties is not always possible at

state parks that have limited staffing, especially during off-peak times of the year. To address this, unit

supervisors are required to submit a risk assessment plan, including compensating controls to address

identified risks associated with low staffing, for the sites that collect and deposit receipts. The Division of

2 | P a g e

Parks and Trails will take the following actions to strengthen both the compensating controls in these

plans and the implementation of these controls across the system:

a. The Division and Fiscal Services (DFS) section manager will lead a team to develop and document a

system of standardized compensating controls for collecting and depositing receipts consistent with

the approved Parks and Trails deposit waiver no later than December 1, 2020. These policies and

procedures will include a system to monitor compliance and accountability and include corrective

actions for non-compliance. The DFS section manager will ensure that the Division of Parks and

Trails fully implements compensatory controls regarding separation of duties by January 1, 2021.

b. The DFS section manager will oversee the revision of the Parks and Trails Revenue Manual by

December 1, 2020, and will provide revenue-handling training, including the use of compensating

controls, to all division staff responsible for implementing and overseeing revenue operations no

later than January 1, 2021, and annually thereafter. The training will also be provided to new

employees, as applicable, during the onboarding process.

c. The division will include periodic communication on the importance of compliance with fiscal

controls to all Parks and Trails staff through the division newsletter and email. These

communications will include reminders of policies, procedures and best practices.

d. Unit supervisors will provide ongoing oversight, monitoring and documentation of all revenue

operations within the unit, consistent with the monitoring systems and the standardized

compensating controls addressed in Corrective Action 1.1a. Unit supervisors will complete risk

assessments for each location by January 1, 2021. They will also implement the policies and

procedures articulated in Corrective Action 1.1b to ensure staff compliance with all revenue

handling responsibilities, including compensating controls, no later than January 1, 2021.

e. District supervisors will be responsible for quarterly monitoring and documentation of compliance

by unit supervisors within the district beginning January 1, 2021. If non-compliance is identified, the

nature of the non-compliance and the resulting corrective actions will be documented and reviewed

with the regional manager, and also shared with the DFS manager.

f. The DFS manager will at least annually review documentation, identify any patterns in incidences of

non-compliance and system-level corrective actions needed to avoid future noncompliance, and

adjust training and communications accordingly. The DFS manager will also maintain the records on

the I:\drive to document and ensure compliance.

Audit Finding #2

The DNR did not always identify and destroy instances of not-public data.

Audit Recommendation: The DNR should destroy credit card information immediately following the

processing of a transaction.

Audit Recommendation: The DNR should revise its policy on how long a park should retain credit card

information for unprocessed transactions.

3 | P a g e

DNR response: The agency concurs with the finding that staff did not consistently comply with the existing

policies and procedures regarding retention of data, and the recommendations that the policies should always

be followed and also should be revised to address unprocessed transactions.

The DNR will take the following Corrective Actions, some of which have already been implemented:

2.1 Revise the practice of redacting data. It is evident that some Division of Parks and Trails procedures

need revision to better guide staff in meeting the requirement of protecting not-public data. Based on

the information shared at the OLA field exit interview last summer, the following actions have already

been taken:

a. In October 2019, the division discontinued the practice of using a black permanent marker to redact

credit card data on self-pay envelopes. Not-public data on the envelopes is now cut away from the

original document and shredded once the transaction has been validated.

b. In October 2019, staff were reminded to keep all not-public data needed for future verification

locked in a secure location and only make it available to those who need it for a business purpose.

This policy will be included in the revised Parks and Trails Revenue Manual and will be reinforced in

associated training materials delivered at least annually.

2.2 Ensure compliance with redaction of not-public data requirements. It is the local unit supervisor’s

responsibility to ensure that staff comply with procedures developed to protect non-public data.

a. Unit supervisors will monitor compliance to ensure that staff processing self-pay envelopes

promptly destroy not-public data after transactions are validated. The DFS manager will send an

email to all unit supervisors about the importance of this practice by September 15, 2020, and at

least annually thereafter. This need will also be emphasized in annual training.

b. Unit supervisors will proactively communicate and reinforce the importance of complying with the

redaction requirement, and will document non-compliance along with the appropriate corrective

action in the employee’s personnel file, up to and including progressive disciplinary actions if

necessary. Communications will occur at least annually, in association with annual training.

c. District supervisors will be responsible for quarterly monitoring and documentation of compliance

by unit supervisors within their district (as developed in corrective action 1.1b above) and for

implementing corrective actions for non-compliance. This quarterly monitoring for compliance with

redaction of not-public data requirements will begin no later than January 1, 2021.

2.3 Revise policy on retaining credit card information for unprocessed transactions. The Division of Parks

and Trails will clarify the policy for retaining, protecting and destroying not-public data related to the

revenue system. Some actions have already been taken, and others are in process, as follows:

a. In October 2019, the DFS section provided the following guidance to staff on credit card transactions

that do not correctly process: Following the first attempt, staff verify that the credit card numbers

were entered correctly. Following the second attempt, staff attempt to contact the cardholder to

verify the number. If these attempts are unsuccessful, staff note the failure on the self-pay envelope

4 | P a g e

and deposit records and then destroy the not-public data. The self-pay envelopes are retained for

audit.

b. The DFS section manager will include this policy and procedure in the revised Parks and Trails

Revenue Manual and associated training materials, to be completed by December 1, 2020, and will

ensure that unit supervisors receive training on the new procedures by January 1, 2021.

c. The unit supervisor will ensure that all revenue-handling staff understand the policies on retaining,

protecting and destroying not-public data related to the park revenue system.

2.3 Continue to explore alternatives to self-pay envelopes. A move away from self-pay envelopes would

avoid the need to collect not-public data in the first place, thereby eliminating any risk that the data are

not properly destroyed. The division began a pilot project to use electronic pay stations in five parks in

the fall of 2019. In recent months, the DNR has had some success in using QR codes to encourage online

payments via internet-enabled mobile phones. The DFS manager will continue to explore alternatives to

using envelopes to conduct self-pay transactions and to provide more secure fee collection boxes at

locations where electronic options are not available, and, in some instances, may not be feasible. By

April 1, 2021, the DFS manager will convene a group to develop a plan to reduce the use of fee

collection boxes over the next five years.

2.4 Reinforce and enhance staff training. The DFS section manager will develop a division-specific

Enterprise Learning Management (ELM) training and a revised Parks and Trails Revenue Manual to

clarify the retention policies and procedures with regard to processing transactions. The training will be

developed by December 1, 2020, with the expectation that unit supervisors have completed it by

January 1, 2021, and that all seasonal staff have completed it by May 31, 2021, and annually thereafter.

Unit supervisors will ensure that all staff who process transactions complete this training by May 31 of

each year. The ELM system will allow unit supervisors to track who has completed the training each

spring, to ensure staff are training on an annual basis. The DFS reservation coordinator will disable user

logins for all staff who do not complete training by May 31 each year.

Audit Finding #3

The DNR did not always deposit receipts in accordance with its daily deposit waiver.

Audit Recommendation: The DNR should ensure timely deposits in accordance with state statute.

DNR Response. The agency concurs with the finding that staff did not always deposit receipts in accordance

with required timelines and the recommendation to ensure timely deposits in accordance with state statute.


3.1 Ensure compliance with the specified timelines in state statutes and existing daily deposit waivers.

Division of Parks and Trails staff are not always ensuring that receipts are deposited in accordance with

the approved deposit waiver timelines. These situations usually arise from reduced off-peak staffing

levels.

5 | P a g e

a. The DFS section manager will review the audit findings with unit supervisors, remind them of

current practices, and share interim corrective actions by September 15, 2020. The DFS section

manager will convene a group of unit supervisors and DFS fiscal staff to determine how best to

ensure compliance and more effective handling of deposits; the recommendations of the group will

be documented and implemented by January 1, 2021.

b. Unit supervisors will be responsible for ongoing oversight, monitoring and documentation of all

revenue operations within the unit, consistent the standardized compensating controls identified in

1.1a. Unit supervisors will monitor compliance with the deposit waiver and will document any

incidents of failure to comply and the appropriate corrective action taken to prevent reoccurrence.

c. District supervisors will be responsible for monitoring and documenting compliance by unit

supervisors within their district and for implementing corrective actions for non-compliance, which

will begin on January 1, 2021.

d. Every January, the DFS section manager will compile and review all deposit violation forms and will

provide a summary to the deputy director. The DFS manager will at least annually review

documentation, identify any patterns in incidences of non-compliance and system-level corrective

actions needed to avoid future noncompliance, and adjust training and communications accordingly.

The DFS manager will also maintain the records on the I:\drive to document and ensure compliance.

Audit Finding #4

The DNR did not have adequate controls to ensure the accuracy of deposits in the state’s accounting system.

Audit Recommendation: The DNR should implement procedures to complete a full reconciliation of state

park receipts between the point of sale system and the state’s accounting system.

Audit Recommendation: The DNR should determine the amount of remaining lost revenue and seek

vendor reimbursement.

DNR Response: The agency concurs that the controls to ensure the accuracy of deposits in the state’s

accounting system need to be examined and modified to ensure a full reconciliation between the vendor’s

system and the state accounting system. The agency also concurs with and has implemented, as documented

further in 4.3 below, the recommendation to determine and seek vendor reimbursement of the full amount of

lost revenue.


4.1 Review and improve the reconciliation process and procedures. The Division of Parks and Trails and

OMBS are responsible for reconciliation between SWIFT, WIRES and any applicable sub-system. The

reconciliation process is conducted daily by the DFS section revenue staff. When a delay of more than a

day in payment to the bank from a credit card company occurs, DFS revenue staff have a tracking

procedure that documents the resulting daily overages and shortages. Staff add a correcting entry to

temporarily balance the account for the day of the credit card purchase and flag the transaction. If the

flagged transaction is not reconciled by the end of the week, DFS revenue staff contact the gateway

6 | P a g e

provider to reconcile payment and follow up on any discrepancies. Better documentation of this process

is needed, and the following actions will be taken to strengthen the reconciliation process:

a. By January 1, 2021, the DFS manager will review, revise and document this reconciliation process in

consultation with OMBS, the reservation system vendor, the gateway provider, and Parks and Trails

fiscal staff to ensure full documentation and reconciliation of receipts between the point of sale

system and the state’s revenue systems.

b. The DFS section manager will work with OMBS staff to establish a standardized process to review,

reconcile and document discrepancies by January 1, 2021.

4.2 Review the threshold above which discrepancies will be investigated and establish a standardized

discrepancy investigation process. The Parks and Trails Revenue Manual currently indicates that any

revenue shortage in excess of $50 must be investigated and signed off on by the unit supervisor. When a

discrepancy is found, the information is provided to DFS revenue staff. DFS staff then review the fiscal

reports from the reservation and accounting systems, and resolve or document the discrepancies in the

WIRES report. Patterns of discrepancies are documented and reported to the reservation coordinator

and/or the Parks and Trails business manager to investigate.

a. By December 1, 2020, the DFS manager will work with OMBS staff to review the specific threshold

for investigating discrepancies in receipting and to establish a standardized process to review,

reconcile and document discrepancies.

b. Unit supervisors will be responsible for ongoing oversight, monitoring and documentation of all

revenue operations within the unit, consistent with the policies and procedures outlined in the

Parks and Trails Revenue Manual. Unit supervisors are also responsible for timely addressing and

documenting all instances where discrepancies above this threshold occur and the corrective action

taken to both resolve the specific instance and prevent reoccurrence.

c. District supervisors will be responsible for quarterly monitoring and documentation of compliance

by unit supervisors within their district and for implementing corrective actions for non-compliance,

which will begin on March 31, 2021.

4.3 Determine and recover lost revenue due to the auto-void. Prior to the audit commencing, the DNR

began working with the vendor to identify and document a system flaw whereby the reservation system

software could automatically void a transaction prior to funds being deposited. This flaw was also

identified by the OLA. Voids are common when customers either change their minds mid-transaction or

make a reservation error and back out of the system. Consequently, it was difficult to catch errors that

resulted in actual lost revenues. It is only when park staff checked someone into a campsite, and found

that a payment wasn’t processed, that the discrepancy in payment was found. Parks and Trails staff

have identified and recovered the total revenue loss. Specifically, a contract amendment was fully

executed on February 27, 2020 to reduce the total payout to the vendor by $133,417.16 as a means of

recovering the remaining lost revenue (this includes $80,000 to address the auto-void error and

$53,417.16 to address call center response time issues).

7 | P a g e

Audit Finding #5

The DNR did not identify and remove unnecessary access in its point of sale system.

Audit Recommendation: The DNR should perform an annual review of user accounts to ensure

appropriate access to the point of sale system and immediately terminate unnecessary access.

Audit Recommendation: The DNR should design and implement a control to track access authorizations,

modifications, and terminations in its point of sale system.

DNR Response: The agency concurs with the finding that the agency did not identify and remove unnecessary

access to the system and the recommendations to address the finding.


5.1 Conduct regular reviews of user accounts and update training materials and manuals. In October 2019,

the Division of Parks and Trails conducted a training that emphasized the need to suspend access that is

no longer needed, and reviewed the roles and responsibilities of staff who grant that access. Consistent

with MNIT Identity and Access Management Standards, the DNR implemented new procedures on

January 29, 2020 to better manage access to the system. The DNR is putting into place these additional

measures to assure full compliance with the MNIT standard by the end of 2020:

a. The DFS reservation coordinator will send out monthly reports of access roles and use to the unit

and district supervisors, who will review for compliance with unique logins and for any unnecessary

logins in need of suspension.

b. Unit supervisors will immediately suspend access for employees separating from service or going on

seasonal layoff. They will also review and manage user access at least monthly to ensure user

access is correct and up-to-date.

c. District supervisors will quarterly review employee access and ensure that proper access roles are

established.

d. By December 31 each year, the reservation coordinator will ensure the division is meeting the MNIT

standards through the following actions:

i. Spot check access documents to ensure appropriate access suspensions have been made.

ii. Review the access roles for the system and update manuals and training materials as needed.

iii. Add the following information to the MNIT access report: 1) who authorized access for each

person included in the report, 2) the job classifications for both those who authorized access

and those having access, and 3) a comment field to note any special circumstances.

iv. Review the access report to ensure that similar job classifications have the same level of

access and that those authorizing access are also at the same job class. Include a justification

for any special circumstances in the comment field and review/revisit each year.

v. Unit supervisors will work with the reservation coordinator annually to review the staff access

and assess whether the access level assigned to each staff member is appropriate for their

work responsibilities.

8 | P a g e

vi. Information on managing user access will be included in the updated Parks and Trails Revenue

Manual and associated trainings.

5.2 Design and implement an automated procedure to deactivate access after 30 days of inactivity. The

DNR’s reservation and point-of-sale system is provided by a third party. At the time of the audit, the

vendor’s system did not have a mechanism to automatically manage access to the system after a period

of inactivity; instead, this had to be accomplished manually. In November 2019, the DFS manager began

working with the vendor to program an automatic deactivation of users if they have not used the system

within a 30-day period. This is equivalent to what is programmed into SWIFT and SEMA4 to manage user

access. A deadline of March 31, 2021 has been established for the vendor to implement this tool.

Audit Finding #6

The DNR employees did not always use their own unique login when using the point of sale system.

Audit Recommendation: The DNR should enforce the requirement for employees to use their own unique

login when using the point of sale system.

DNR Response: The agency concurs with the finding that DNR employees did not always use their unique system

login and with the recommendation that the DNR should fully enforce the requirement.


6.1 Increase oversight of staff and conduct unscheduled site visits to ensure compliance. DNR will enforce

compliance with this requirement through increased unit supervisor oversight, emphasizing the reasons

for and importance of this requirement, and peer discouragement of using another staff member’s

login. The following actions will be taken:

a. Unit supervisors will be required to proactively reinforce the reason for and importance of this

requirement and document, with corrective actions up to and including progressive discipline, all

instances where staff are observed in non-compliance (those allowing the use of their login and

those using a login not their own).

b. The DFS reservation coordinator will send out monthly login and use reports to the unit supervisors,

who will review for compliance with unique logins and for any unnecessary logins in need of

suspension.

c. District supervisors will quarterly observe and document front-desk transactions and ensure internal

control practices are being followed by all units in their district.

d. Assistant regional managers will be responsible for tracking spot-check documentation by the

district supervisors and will submit that documentation to the DFS manager in October of each year.

Documentation will be reviewed with regional staff in December of each year.

9 | P a g e

6.2 Establish a shortened automatic logout timeframe. Since staff are not consistently complying with the

requirement that they use their unique log in for transactions they complete, DNR implemented on

August 6, 2020 an automatic logout after 5 minutes of inactivity (previous logout window was every 15

minutes) as a way to prompt and enhance compliance. This is similar to the automatic logout

implemented by MNIT for state computers. If compliance has not improved by October 31, 2021 (as

measured by three quarters of district supervisor observations according to 6.1c), the DFS manager will

work with the vendor to log out users automatically after every transaction.

Audit Finding #7

The DNR did not always perform an annual physical inventory or, when the department completed a physical

inventory, it did not always investigate identified differences.

Audit Recommendation: The DNR should document an inventory policy to address the accuracy of

inventory records.

DNR Response: The agency concurs with the finding that local units did not always perform and/or document an

annual physical inventory and investigation of differences and the recommendation that DNR should document

an inventory policy to address the accuracy of inventory records.


7.1 Ensure staff at every local unit follows a standard process to complete an annual physical retail

inventory, document the inventory in a report, and file the report in a central location. All completed

inventory audits (permits and sales merchandise) are required to be submitted electronically to the

Visitor Services and Outreach (VSO) section’s state program coordinator on forms approved for this

purpose. Permit audits are conducted each January and submitted in February. Merchandise audits are

conducted between October and November for retail locations that close for the cold-weather season,

and between January and February for the central warehouse and those locations that are open year

round. Reports are submitted no later than one month after close or after the independent vendor

counts are done. The following actions are being taken to ensure compliance with this established

control:

a. The Visitor Services and Outreach (VSO) section manager will lead a team to review and revise retail

inventory policies and standardized procedures for the Division of Parks and Trails no later than April

1, 2021. The policies and procedures will address the inventory control, reconciliation and reporting

for retail inventory. They will also include monitoring compliance and accountability including

corrective actions for non-compliance. These policies and procedures will be included in the Parks

and Trails Revenue Manual.

b. The VSO section will provide inventory management training, including inventory control,

reconciliation and reporting requirements to all division staff responsible for implementing and

overseeing retail operations no later than April 1, 2021 and to all applicable new employees as part

of their onboarding process.

c. Unit supervisors will be responsible for implementing inventory management procedures and

ensuring compliance with all policies and procedures in units they manage.

10 | P a g e

d. District supervisors are responsible for monitoring and documenting compliance by unit supervisors

within their district and for implementing corrective actions for non-compliance, which will begin on

April 1, 2021.

e. The VSO state program coordinator will ensure that all annual inventory reports are filed on the DNR

internal I:\drive by March 1 each year.

f. The VSO section will review documentation including compliance and corrective actions and

maintain the records on the I:\drive annually to ensure compliance by January 1, 2021.

g. The VSO state program coordinator will review the documents and report any questionable or

potential systemic patterns to the VSO manager for further investigation. All related documentation

of any corrective actions taken will be securely stored the DNR internal I:\drive

7.2 Establish a threshold for when to investigate retail inventory discrepancies. The VSO section manager

will work with a group of retail staff, unit supervisors, and central office fiscal staff to determine a

process by which discrepancies above an industry-standard threshold (for example, 2-5% is regarded as

standard “shrinkage”) must be investigated, including a timeline for reconciling those discrepancies. The

work group will develop and implement a new review process by January 1, 2021. Fall/winter 2020

inventories will be reviewed before reopening in the spring of 2021 using this new process.

7.3 Ensure compliance with monthly spot checks. The Parks and Trails Revenue Manual indicates locations

with merchandise for sale should conduct a random inventory spot check on a monthly basis. A recent

survey indicated that only a few sites were conducting these checks. If they were conducted, it was

usually for firewood inventory, and the spot checks were often not documented.

a. The VSO section manager will work with retail staff to develop new training and standard

documentation for spot checks that will be implemented in January 2021. This will include

emphasizing with retail staff and supervisors the importance of compliance with this requirement to

further ensure – and demonstrate – our commitment to excellence in public service and fiscal

management.

b. Unit supervisors will be responsible for implementing inventory management procedures and


c. District supervisors will be responsible for quarterly monitoring compliance by unit supervisors

within their district and for implementing corrective actions for non-compliance.

7.4 Use the permit inventory process to annually reconcile differences. Parks and Trails will review and

revise its permit inventory policies and procedures by January 1, 2021. This information will be included

in the Parks and Trails Revenue Manual.

a. Unit supervisors will be responsible for implementing permit audit policies and procedures and


b. District supervisors will be responsible for quarterly monitoring and documenting compliance by

unit supervisors within their district and for implementing corrective actions for non-compliance,

which will begin on April 1, 2021.

11 | P a g e

c. In February of each year, the VSO reservation system coordinator will review annual permit audits

and reconcile counts between the units and central inventory. The VSO state program coordinator

will provide a report of discrepancies to the VSO section manager.

d. Audits will be filed on the DNR internal I:\drive with all audit paperwork. The VSO section manager

will review the audit and investigate any discrepancies by April 1 each year.

Thank you again for the opportunity to review and discuss the OLA findings and recommendations resulting

from the recent park fees and retail sales audit, and to provide this response. DNR is committed to developing

and rigorously implementing the corrective actions identified here, to ensure the findings of this audit are

expeditiously resolved.

Please direct any questions or feedback about the information and actions included in this response to Parks

and Trails Division Director Erika Rivers at [email protected] or (651) 259-5591.

Sincerely,

Sarah Strommen

Commissioner, Department of Natural Resources

CC: Lori Leysen, Audit Director, OLA

Barb Naramore, Deputy Commissioner, DNR

Shannon Lotthammer, Assistant Commissioner, DNR

Erika Rivers, Director, Division of Parks and Trails, DNR

Mary Robison, Chief Financial Officer, DNR

Kathleen Shea, Internal Audit Manager, DNR

Equal Opportunity Employer

mailto:[email protected]

Financial Audit Staff

James Nobles, Legislative Auditor Education and Environment Audits Lori Leysen, Audit Director Kelsey Carlson Shannon Hatch Paul Rehschuh Heather Rodriguez Kris Schutta Zakeeyah Taddese Emily Wiant General Government Audits Tracy Gebhard, Audit Director Nicholas Anderson Tyler Billig Scott Dunning Daniel Hade Lisa Makinen Erick Olsen Sarah Olsen Valentina Stone Joseph Wallis Health and Human Services Audits Valerie Bombach, Audit Director Jordan Bjonfald William Hager Zachary Kempen April Lee Crystal Nibbe Duy (Eric) Nguyen Melissa Strunc

Information Technology Audits Mark Mathison, Audit Director Joe Sass Safety and Economy Audits Scott Tjomsland, Audit Director Ryan Baker Bill Dumas Gabrielle Johnson Shelby McGovern Alec Mickelson Tracia Polden Zach Yzermans

For more information about OLA and to access its reports, go to: www.auditor.leg.state.mn.us. To offer comments about our work or suggest an audit, evaluation, or special review, call 651-296-4708 or email [email protected]. To obtain printed copies of our reports or to obtain reports in electronic ASCII text, Braille, large print, or audio, call 651-296-4708. People with hearing or speech disabilities may call through Minnesota Relay by dialing 7-1-1 or 1-800-627-3529.

Printed on Recycled Paper

OFFICE OF THE LEGISLATIVE AUDITOR CENTENNIAL OFFICE BUILDING – SUITE 140

658 CEDAR STREET – SAINT PAUL, MN 55155

O L A

department of natural resources - park fees and retail sales · 13/08/2020 · natural resources...

Documents